Disable Remote Desktop capability

This topic contains 7 replies, has 4 voices, and was last updated by Sam Boutros 4 months ago.

  • #66193
    Brian Clanton
    Participant

    Can someone direct me to a sample script on how to disable a client's Remote Desktop capability. Basically I am looking at the equivalent of disabling an entire OU of users that have the 'Deny this user permissions to log on to Remote Desktop Session Host server' setting from within the Active Directory Remote Desktop Services Profile properties.

    AD server is running PS version 5.

  • #66201
    Albert van Boerum
    Participant

    Hi Brian,

    By default you have to enable users to use an RDS server. Can you give me some more detail about your situation?
    With this information I would say, just make a group with the users that need to have access to your RDS servers and give this group access.

    Albert

  • #66207
    Graham Beer
    Participant

    Hi Brian,

    I've written you a script that will do this. You can enable or disable Terminal Services through WMI.

    function Set-TerminalServices {
        [CmdletBinding()]
        param (
            [Parameter(ValueFromPipelineByPropertyName,
                ValueFromPipeline,
                Mandatory,
                Position = 0)]
            [string[]]$ComputerName,

            # Accepted as text ('True'/'False') so it can come from a CSV or the command line
            [Parameter(Mandatory)]
            [ValidateSet('True','False')]
            [String]$EnableTerminalServices
        )

        begin {
            # Convert 'True' or 'False' from string to a Boolean value once, and derive the label from it
            $boolValue = [System.Convert]::ToBoolean($EnableTerminalServices)
            $state     = if ($boolValue) { 'Enabled' } else { 'Disabled' }
        }

        process {
            # foreach computer, enable or disable the RDP-Tcp listener
            foreach ($computer in $ComputerName) {
                # Win32_Terminal has one instance per listener (Console, RDP-Tcp, ...); filter to RDP-Tcp
                # so a single object is returned. Remote access to this namespace needs packet privacy.
                $terminal = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                    -Class Win32_Terminal -Filter "TerminalName='RDP-Tcp'" `
                    -ComputerName $computer -Authentication PacketPrivacy

                # Enable() returns 0 on success
                $result = $terminal.Enable($boolValue)
                if ($result.ReturnValue -eq [uint32]0) {
                    "{0} : {1} = {2}" -f $computer, 'Terminal Services Status', $state
                }
                else {
                    "{0} : [Error] Failed to update Terminal Service value (return code {1})" -f $computer, $result.ReturnValue
                }
            }
        }

        end {} # add for completeness
    }
    

    The script will allow you to pass computers to the pipeline and allow you to either enable or disable the Terminal Service.

    'PC12345','Localhost' | Set-TerminalServices -Enable True
    
    PC12345 : Terminal Services Status = Enabled
    Localhost : Terminal Services Status = Enabled
    

    or...

    'PC12345','Localhost' | Set-TerminalServices -Enable false
    
    PC12345 : Terminal Services Status = Disabled
    Localhost : Terminal Services Status = Disabled
    

    Hope that helps.
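Graham's function toggles the RDP-Tcp listener object itself. The block below is an added example, not code from the thread: it reads the host-side state a practitioner would check before and after such a change (the AllowTSConnections policy switch, whether the RDP-Tcp listener exists, whether NLA is required and which security layer is set) and, on request, denies connections through Win32_TerminalServiceSetting.SetAllowTSConnections while also disabling the firewall exception, then reads the state back instead of trusting the return code. The function names Get-RdpHostState and Disable-RdpHost are my own, and the example assumes WinRM is reachable on remote hosts (Get-CimInstance uses WS-Man, which is encrypted, so the packet-privacy requirement of this WMI namespace is met).

```powershell
# Added example, not code from the thread. Function names are hypothetical.
# Assumes WinRM (WS-Man) is reachable on remote hosts and the caller is a local admin there.

function Get-RdpHostState {
    [CmdletBinding()]
    param ([string]$ComputerName = $env:COMPUTERNAME)

    # Query locally via DCOM when the target is this machine, otherwise over WS-Man
    $cim = @{ Namespace = 'root\CIMV2\TerminalServices' }
    if ($ComputerName -notin '.', 'localhost', $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }

    # AllowTSConnections mirrors the "Don't allow remote connections to this computer" switch
    $tss = Get-CimInstance @cim -ClassName Win32_TerminalServiceSetting
    # Per-listener settings for RDP-Tcp: NLA requirement and security layer (0 = RDP, 1 = Negotiate, 2 = TLS)
    $gen = Get-CimInstance @cim -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    # The listener object itself, which is what Win32_Terminal.Enable() toggles
    $lst = Get-CimInstance @cim -ClassName Win32_Terminal -Filter "TerminalName='RDP-Tcp'"

    [pscustomobject]@{
        ComputerName       = $ComputerName
        ConnectionsAllowed = [bool]$tss.AllowTSConnections
        ListenerPresent    = [bool]$lst
        NLARequired        = [bool]$gen.UserAuthenticationRequired
        SecurityLayer      = [int]$gen.SecurityLayer
        # The host stops accepting RDP only when the policy switch is off; NLA on the listener is defense in depth
        Exposed            = [bool]$tss.AllowTSConnections
    }
}

function Disable-RdpHost {
    [CmdletBinding(SupportsShouldProcess)]
    param ([Parameter(Mandatory)][string]$ComputerName)

    $cim = @{ Namespace = 'root\CIMV2\TerminalServices' }
    if ($ComputerName -notin '.', 'localhost', $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }
    $tss = Get-CimInstance @cim -ClassName Win32_TerminalServiceSetting

    $applied = $false
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Deny RDP connections and disable the firewall exception')) {
        # SetAllowTSConnections(AllowTSConnections, ModifyFirewallException):
        # 0 denies connections; ModifyFirewallException=1 also disables the Remote Desktop firewall rules
        $r = Invoke-CimMethod -InputObject $tss -MethodName SetAllowTSConnections `
                              -Arguments @{ AllowTSConnections = [uint32]0; ModifyFirewallException = [uint32]1 }
        if ($r.ReturnValue -ne 0) {
            throw "SetAllowTSConnections returned $($r.ReturnValue) on $ComputerName"
        }
        $applied = $true
    }

    # Read the state back rather than trusting the return code
    $state = Get-RdpHostState -ComputerName $ComputerName
    if ($applied -and $state.Exposed) {
        throw "$ComputerName still accepts RDP connections after the change"
    }
    $state
}

# Usage: audit a set of hosts first, then lock down the ones that should not accept RDP at all
'PC12345', 'localhost' | ForEach-Object { Get-RdpHostState -ComputerName $_ } | Format-Table -AutoSize
Disable-RdpHost -ComputerName 'PC12345' -WhatIf
```

Denying the user in AD (the goal of the thread) is an authorization check made by the session host at logon; the host-side switch above removes the listener's exposure regardless of which users are allowed, so the two controls complement rather than replace each other.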

  • #66276
    Brian Clanton
    Participant

    We run a hosted terminal server environment where the majority of the clients who have hosted applications use remote capability, either through RDP or Citrix, to our terminal servers. However, a small portion of our users are email only and 'should' have remote capability turned off (shut off within the Active Directory Remote Desktop Services Profile).

    If I specify a client that is email hosted only, I want my script to iterate through all users within that OU to check this 'Deny' setting and check it if it is not checked.

    I have experimented with a single account and I can get the status of the setting, but I am having trouble with the 'set' statement syntax.
    However, I feel like I am taking the long way around, since examples I have seen manipulate *TS* properties but I don't seem to have access to them when I run the command get-aduser -identity bclanton | get-member.

    # Get-ADUser comes from the ActiveDirectory module (RSAT), which auto-loads on PS 3+
    $bclanton   = Get-ADUser -Identity bclanton
    # -ExpandProperty returns the DN as a plain string (-ExcludeProperty would drop it instead)
    $bclantonDN = $bclanton | Select-Object -ExpandProperty DistinguishedName

    $bclantonUser = [adsi]"LDAP://$bclantonDN"

    # AllowLogon is a Terminal Services user property (IADsTSUserEx), so it is read with InvokeGet
    # rather than as a regular LDAP attribute; 1 = allowed, 0 = denied
    if (($bclantonUser.psbase.InvokeGet("AllowLogon")) -eq 1)
    {
        Write-Output "Set to 1"
    }
    else
    {
        Write-Output "Set to 0"
    }
  • #66277
    Sam Boutros
    Participant

    Run one region at a time as needed, not the whole script. Edit the Input region to enter your OU info.

    #region Input
    $OUName = [adsi]'LDAP://ou=PACRIM,dc=mydomain,dc=com'
    #endregion


    #region View Terminal Services 'AllowLogon' of AD users in 'OUName'
    $ADUsers = $OUName.psbase.get_children() # Get all child objects of the OU
    $myOutput = foreach ($ADUser in $ADUsers) {
        New-Object -TypeName PSObject -Property @{
            DN           = $ADUser.distinguishedName | Select-Object -First 1
            # AllowLogon is a TS user property (IADsTSUserEx); it is not exposed as $ADUser.AllowLogon
            TSAllowLogon = ($ADUser.psbase.InvokeGet('AllowLogon') -eq 1)
        } | Select-Object DN, TSAllowLogon
    }
    $myOutput | Format-Table -AutoSize
    #endregion


    #region Disable Terminal Services 'AllowLogon' for AD users in 'OUName'
    foreach ($ADUser in $ADUsers) {
        $ADUser.psbase.InvokeSet('AllowLogon', 0)   # 0 ticks "Deny this user permissions to log on to RD Session Host server"
        $ADUser.SetInfo()                           # write the cached change back to the directory
    }
    #endregion


    #region Enable Terminal Services 'AllowLogon' for AD users in 'OUName'
    foreach ($ADUser in $ADUsers) {
        $ADUser.psbase.InvokeSet('AllowLogon', 1)   # 1 clears the deny checkbox
        $ADUser.SetInfo()
    }
    #endregion
    
  • #66286
    Brian Clanton
    Participant

    Perfect.
    The 'setinfo()' method was my missing link.

    After you created the new list of objects in the command:

    $ADUsers = $OUName.psbase.get_children() 

    How is one made aware of the 'setinfo()' method? In my example, I pipe the object

    $bclanton.psbase | Get-Member

    and I do not see this method.

    • #66754
      Brian Clanton
      Participant

      Only issue with the above example is that it doesn't pull just user accounts but group accounts as well.

      $ADUsers = $OUName.psbase.get_children()

      [w2k8-dc2]: PS C:\Users\administrator.XXXX\Documents> $adusers
      
      
      distinguishedName : {CN=Group-tptest,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=Group-tptest,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      
      distinguishedName : {CN=tptest1,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest1,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      
      distinguishedName : {CN=tptest2,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest2,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      
      distinguishedName : {CN=tptest3,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest3,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      
      distinguishedName : {CN=tptest4,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest4,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      
      distinguishedName : {CN=tptest6,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest6,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      
      distinguishedName : {CN=tptest7,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest7,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      
      distinguishedName : {CN=tptest8,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest8,ou=TPTest,ou=hosted,dc=XXXX,dc=local
    • #66819
      Sam Boutros
      Participant
      # Keep user objects only; matching the class is exact, whereas matching 'group' in the path
      # would also drop users whose DN merely contains that word
      $ADUsers = $ADUsers | Where-Object { $_.psbase.SchemaClassName -eq 'user' } # excludes group accounts
      
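Sam's region script and the follow-up about groups being returned by get_children() both come down to the same job: find the user objects under an OU, read the Terminal Services AllowLogon flag, set it, and confirm it stuck. The block below is an added example, not code from the thread, that does that in one function. It selects users with an LDAP filter (so groups, computers and contacts never reach InvokeSet), supports -WhatIf, and reads each value back after CommitChanges() (the .NET method behind the IADs SetInfo() call, and the one that does show up in `psbase | Get-Member`). The function name Set-TSAllowLogon and the OU DN in the usage lines are my own; it assumes a domain-joined host and write permission on the users' userParameters attribute, where the TS properties are stored.

```powershell
# Added example, not code from the thread. Function name and the OU DN below are hypothetical.
# Assumes a domain-joined host and rights to write userParameters on the target users.
function Set-TSAllowLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)]
        [string]$SearchBase,                        # DN of the OU to process

        [Parameter(Mandatory)]
        [bool]$AllowLogon,                          # $false ticks "Deny this user permissions to log on to RD Session Host server"

        [ValidateSet('OneLevel', 'Subtree')]
        [string]$SearchScope = 'OneLevel'
    )

    # objectCategory=person AND objectClass=user returns user accounts only; groups, computers and
    # contacts are excluded by the directory rather than by a regex over the path
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]"LDAP://$SearchBase"
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchScope = $SearchScope
    $searcher.PageSize    = 500                     # paged results, so OUs with more than 1000 users are fully returned
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $target = [int]$AllowLogon                      # the TS property is stored as 1 (allow) / 0 (deny)

    foreach ($result in $searcher.FindAll()) {
        $entry   = $result.GetDirectoryEntry()
        $dn      = $result.Properties['distinguishedname'][0]
        # AllowLogon lives in the userParameters blob and is only reachable through IADsTSUserEx,
        # hence InvokeGet/InvokeSet instead of $entry.AllowLogon
        $before  = [int]$entry.psbase.InvokeGet('AllowLogon')
        $after   = $before
        $changed = $false

        if ($before -ne $target -and $PSCmdlet.ShouldProcess($dn, "Set AllowLogon=$target")) {
            $entry.psbase.InvokeSet('AllowLogon', $target)
            $entry.psbase.CommitChanges()           # .NET equivalent of IADs SetInfo(): flushes the cache to the DC
            $entry.psbase.RefreshCache()
            $after   = [int]$entry.psbase.InvokeGet('AllowLogon')   # read back; do not trust the write
            $changed = ($after -eq $target)
        }

        [pscustomobject]@{
            DistinguishedName = $dn
            AllowLogonBefore  = $before
            AllowLogonAfter   = $after
            Changed           = $changed
            Verified          = ($after -eq $target)
        }
    }
}

# Usage (hypothetical OU): preview first, then apply and keep the report of anything that did not verify
Set-TSAllowLogon -SearchBase 'OU=EmailOnly,DC=example,DC=com' -AllowLogon $false -WhatIf
$report = Set-TSAllowLogon -SearchBase 'OU=EmailOnly,DC=example,DC=com' -AllowLogon $false
$report | Where-Object { -not $_.Verified } | Format-Table -AutoSize
```

Run with -WhatIf against the OU once to see exactly which accounts would change; users that already have the target value are reported but never written, so the function is safe to re-run as a periodic check that nobody in the email-only OU has been re-enabled for RDS logon.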
